#48986 Test 47808 triggers buffer overflow
Closed: wontfix None Opened 4 years ago by firstyear.

=================================================================
==7590==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200033c9f8 at pc 0x7fee4f62258d bp 0x7fffb403e790 sp 0x7fffb403e780
READ of size 8 at 0x60200033c9f8 thread T0
    #0 0x7fee4f62258c in uniqueness_entry_to_config /home/william/development/389ds/ds/ldap/servers/plugins/uiduniq/uid.c:368
    #1 0x7fee4f6267a8 in uiduniq_start /home/william/development/389ds/ds/ldap/servers/plugins/uiduniq/uid.c:1413
    #2 0x7fee5bd61e38 in plugin_call_func /home/william/development/389ds/ds/ldap/servers/slapd/plugin.c:2050
    #3 0x7fee5bd61acc in plugin_call_one /home/william/development/389ds/ds/ldap/servers/slapd/plugin.c:1999
    #4 0x7fee5bd608f2 in plugin_dependency_startall /home/william/development/389ds/ds/ldap/servers/slapd/plugin.c:1783
    #5 0x7fee5bd61a5b in plugin_startall /home/william/development/389ds/ds/ldap/servers/slapd/plugin.c:1971
    #6 0x442d21 in main /home/william/development/389ds/ds/ldap/servers/slapd/main.c:1086
    #7 0x7fee58b70420 in __libc_start_main (/lib64/libc.so.6+0x20420)
    #8 0x40fe59 in _start (/opt/dirsrv/sbin/ns-slapd+0x40fe59)

0x60200033c9f8 is located 0 bytes to the right of 8-byte region [0x60200033c9f0,0x60200033c9f8)
allocated by thread T0 here:
    #0 0x7fee5c1dc0c0 in calloc (/lib64/libasan.so.3+0xc70c0)
    #1 0x7fee5bc7b9ca in slapi_ch_calloc /home/william/development/389ds/ds/ldap/servers/slapd/ch_malloc.c:188
    #2 0x7fee4f621f4f in uniqueness_entry_to_config /home/william/development/389ds/ds/ldap/servers/plugins/uiduniq/uid.c:302
    #3 0x7fee4f6267a8 in uiduniq_start /home/william/development/389ds/ds/ldap/servers/plugins/uiduniq/uid.c:1413
    #4 0x7fee5bd61e38 in plugin_call_func /home/william/development/389ds/ds/ldap/servers/slapd/plugin.c:2050
    #5 0x7fee5bd61acc in plugin_call_one /home/william/development/389ds/ds/ldap/servers/slapd/plugin.c:1999
    #6 0x7fee5bd608f2 in plugin_dependency_startall /home/william/development/389ds/ds/ldap/servers/slapd/plugin.c:1783
    #7 0x7fee5bd61a5b in plugin_startall /home/william/development/389ds/ds/ldap/servers/slapd/plugin.c:1971
    #8 0x442d21 in main /home/william/development/389ds/ds/ldap/servers/slapd/main.c:1086
    #9 0x7fee58b70420 in __libc_start_main (/lib64/libc.so.6+0x20420)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/william/development/389ds/ds/ldap/servers/plugins/uiduniq/uid.c:368 in uniqueness_entry_to_config
==7590==ABORTING

ticket47823_test.py is able to trigger this also.

Agreed. tmp_config->attrs is not NULL terminated... It has to be one sizeof(char *) longer for it. :(
{{{
diff --git a/ldap/servers/plugins/uiduniq/uid.c b/ldap/servers/plugins/uiduniq/uid.c
index 5542ae4..e83c31d 100644
--- a/ldap/servers/plugins/uiduniq/uid.c
+++ b/ldap/servers/plugins/uiduniq/uid.c
@@ -299,7 +299,7 @@ uniqueness_entry_to_config(Slapi_PBlock
pb, Slapi_Entry *config_entry)
}

       /* Store attrName in the config */
  • tmp_config->attrs = (const char *) slapi_ch_calloc(1, sizeof(char ));
  • tmp_config->attrs = (const char ) slapi_ch_calloc(2, sizeof(char ));
    tmp_config->attrs[0] = slapi_ch_strdup(attrName);
    argc--;
    argv++; /
    First argument was attribute name and remaining are subtrees /
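Review bot: the replacement line still shows the element size as `sizeof(char )` and the cast as `(const char )`, which cannot be what compiles; since the next line stores a string pointer with `tmp_config->attrs[0] = slapi_ch_strdup(attrName)`, each element must be sized `sizeof(char *)` with a `(const char **)` cast, which also matches the 8-byte region and 8-byte read in the ASan report above (the asterisks look lost in the paste, so please confirm the committed line). A short comment saying that the second slot is the NULL terminator the later walk in `uniqueness_entry_to_config` stops on would keep the literal `2` from being read as an attribute count.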
    @@ -340,7 +340,7 @@ uniqueness_entry_to_config(Slapi_PBlock
    pb, Slapi_Entry config_entry)
    * - requiredObjectClass
    /
    / Store attrName in the config /
  • tmp_config->attrs = (const char *) slapi_ch_calloc(1, sizeof(char ));
  • tmp_config->attrs = (const char *) slapi_ch_calloc(2, sizeof(char ));
    tmp_config->attrs[0] = slapi_ch_strdup(attrName);
       /* There is no subtrees */
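Review bot: this is the same one-line change as the first hunk, applied to the no-subtrees path, and it carries the same garbled `(const char *) ... sizeof(char )` size expression and the same unexplained literal `2`. Since the read at `uid.c:368` flagged by ASan sits after both allocation sites in this function, factoring the allocation into one helper (or at least one shared comment stating that the extra slot is the NULL terminator) would stop the terminator from being dropped again on one path but not the other.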
    

    }}}
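The invariant behind the fix above, as an added example that is not 389-ds code: a pointer array that is walked until NULL needs one slot more than it has entries. The 389-ds fix reserves that slot with `calloc(2, sizeof(char *))` for its single attribute; this example generalizes to n names, uses plain `malloc`/`calloc` in place of `slapi_ch_calloc`/`slapi_ch_strdup`, and the function and input names are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not 389-ds code. Local stand-in for slapi_ch_strdup. */
static char *dup_str(const char *s)
{
    size_t len = strlen(s) + 1;
    char *copy = malloc(len);
    if (copy != NULL) {
        memcpy(copy, s, len);
    }
    return copy;
}

/* Allocate n + 1 pointer slots: n attribute names plus the NULL sentinel
 * that later loops stop on. calloc(1, ...) for one name, as the plugin did
 * before the fix, leaves no room for that sentinel. */
static char **attr_list_new(const char *const *names, size_t n)
{
    char **attrs = calloc(n + 1, sizeof(char *)); /* n + 1, never n */
    if (attrs == NULL) {
        return NULL;
    }
    for (size_t i = 0; i < n; i++) {
        attrs[i] = dup_str(names[i]);
        if (attrs[i] == NULL) {
            /* unwind on allocation failure; attrs[i] is already NULL */
            for (size_t j = 0; j < i; j++) {
                free(attrs[j]);
            }
            free(attrs);
            return NULL;
        }
    }
    /* attrs[n] is NULL because calloc zero-fills; no explicit store needed */
    return attrs;
}

/* Walk to the sentinel: the access pattern that ran past the 8-byte
 * region in the ASan report when no terminator slot existed. */
static size_t attr_list_len(char *const *attrs)
{
    size_t n = 0;
    while (attrs[n] != NULL) {
        n++;
    }
    return n;
}

static void attr_list_free(char **attrs)
{
    if (attrs == NULL) {
        return;
    }
    for (size_t i = 0; attrs[i] != NULL; i++) {
        free(attrs[i]);
    }
    free(attrs);
}
```

Building the same list with `calloc(n, sizeof(char *))` and running `attr_list_len` under AddressSanitizer reproduces the heap-buffer-overflow READ of size 8 seen in the report.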

commit ffda694
Compressing objects: 100% (13/13), done.
Writing objects: 100% (13/13), 1.90 KiB | 0 bytes/s, done.
Total 13 (delta 9), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
04a9c89..31c0425 master -> master

I want to describe the flaw in this CVE analysis. The CVE request states:

{{{
An attacker, authenticated, but possibly also unauthenticated, could
possibly force the plugin to read beyond allocated memory and trigger a
segfault.
}}}

This is incorrect. Only an authenticated user, with write access to cn=config, specifically the uiduniq plugin configuration can trigger this. In a default install this is only directory manager. If you are directory manager, you can do so many other things, there is no need to trigger an exploit.

This is why I deemed this a stability issue, not a security issue.

Users who are anonymous or bound from a backend do not have access to trigger this.

Metadata Update from @firstyear:
- Issue assigned to firstyear
- Issue set to the milestone: 1.3.6 backlog

3 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/2045

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

6 days ago
